Analysis of Bionet 4.01
SynopsisThe latest version of the BioNet trojan is now floating around the Internet, available to would-be hackers for beta testing. The author of the trojan, Rezmond, has been working on this trojan for quite some time now, and this analysis is intended to evaluate the threat and explain the workings of the latest version of this trojan.
New FeaturesThe release notes for the trojan list several new features, notably an almost total rewrite of the old code, a new and faster communications engine, an extended file manager and full compatibility with Windows 9x, ME, 2000 and XP. Unfortunately, the only people who will be able to take advantage of these new features are those who use trojans to steal and destroy data or wreak havoc in any of the other endless ways possible with trojans.
Server EditorThe trojan comes with a server editor that allows hackers and script kiddies to customize the trojan server. Notable features of the server editor is the ability to customize the trojan with scripts that are executed on a specific date and time, or even at regular intervals, once the trojan server compromises a machine. The trojan also has the ability to terminate security software, but this is nothing new as the feature was also available in the previous version of BioNet.
The trojan server contains a built-in IRC bot. IRC is a text-based chat system where users connect to IRC servers to talk with other people around the world in real-time. The trojan contains an automated IRC "bot", which can be controlled by a hacker or script kiddie via IRC. This means that if someone compromises your machine with BioNet 4, he can then access it via any computer on the planet, provided there's Internet access and an IRC client. The server can be configured to display a fake error message when started, giving a user the impression that perhaps something went wrong with the file he downloaded or that the program might be buggy. This is of course just a trick to take the user's mind off the fact that he could have started a trojan. The default error message is "Memory Read Address FF00121 This application has caused an ilegal[sic] operation!"